I understand that most stream ciphers, due to being applied with a simple XOR, are especially fragile against data tampering, and must be used with some MAC mechanism. So I am investigating the use of UMAC for this purpose.

I also understand that UMAC works by XORing a universal hash function based on a secret key with a pseudo-random number generated with AES and a nonce:

$Tag = U_{k1}(M_{clear}) \oplus AES_{k2}(nonce)$

The thing is: since I already have my stream cipher setup, can I just take the hash $H_{k1}(m)$ and encrypt it by XORing with the pseudo-random output from the stream cipher, the same way as is done with the plaintext?

1 Answer

The strength of UMAC depends on the strength of its underlying cryptographic functions: the key-derivation function (KDF) and the pad-derivation function (PDF). In this specification, both operations are implemented using a block cipher, by default the Advanced Encryption Standard (AES). However, the design of UMAC allows for the replacement of these components. Indeed, it is possible to use other block ciphers or other cryptographic objects, such as (properly keyed) SHA-1 or HMAC for the realization of the KDF or PDF.

This is how Poly1305, another MAC based on universal hashing, is used in NaCl, for example: it uses the first 32 bytes of the cipher stream as a one-time key for the MAC, and the rest of the stream for encryption.

The advantage of applying the hash to the ciphertext instead of the plaintext is that you can reject invalid ciphertexts earlier without decrypting them, making rejection faster and, possibly, more resistant to side-channel attacks and implementation errors (e.g. forgetting to check the return code of the decrypt() function, which indicates whether the MAC was correct).
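The NaCl-style construction the answer describes, as an added example that is not from the original answer nor NaCl's own code: the first 32 keystream bytes become a one-time Poly1305 key, the remainder encrypts, and the tag is computed over the ciphertext so a forgery is rejected before any decryption. The keystream generator is an assumed stand-in (HMAC-SHA256 in counter mode, not XSalsa20); Poly1305 is implemented as specified in RFC 8439.

```python
import hashlib
import hmac

P1305 = (1 << 130) - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (assumed): HMAC-SHA256 in counter mode.
    Replace with the keystream generator of the real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "little"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def poly1305_tag(otk: bytes, msg: bytes) -> bytes:
    """Poly1305 one-time authenticator (RFC 8439, section 2.5)."""
    r = int.from_bytes(otk[:16], "little") & CLAMP
    s = int.from_bytes(otk[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # each block (the last may be short) is padded with a single 0x01 byte
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P1305
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC: first 32 keystream bytes key the MAC, the rest encrypt.
    The nonce must never repeat under one key: reuse leaks both the pad and the one-time key."""
    ks = keystream(key, nonce, 32 + len(plaintext))
    otk, pad = ks[:32], ks[32:]
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    return ciphertext, poly1305_tag(otk, ciphertext)


def tag_valid(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Check the tag over the ciphertext only; nothing is decrypted to reject."""
    otk = keystream(key, nonce, 32)
    return hmac.compare_digest(poly1305_tag(otk, ciphertext), tag)


def open_box(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Raise on a bad tag (so it cannot be silently ignored); decrypt only afterwards."""
    if not tag_valid(key, nonce, ciphertext, tag):
        raise ValueError("bad tag: ciphertext rejected before decryption")
    pad = keystream(key, nonce, 32 + len(ciphertext))[32:]
    return bytes(c ^ k for c, k in zip(ciphertext, pad))
```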